BILL ANALYSIS

 

 

 

C.S.S.B. 1610

By: Schwertner

Public Health

Committee Report (Substituted)

 

 

 

BACKGROUND AND PURPOSE

 

Recent legislation enhanced the protection of personal health information. Unfortunately, it has been reported that certain provisions of the legislation have resulted in unintended consequences. Interested parties assert that current law relating to notification of certain security breaches unintentionally requires any person who handles personal health information to be aware of the breach notification laws of every state and any potential changes to them, which creates a substantial and unnecessary administrative burden on professionals who handle personal health information in Texas. C.S.S.B. 1610 seeks to clarify this issue.

 

RULEMAKING AUTHORITY

 

It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.

 

ANALYSIS

 

C.S.S.B. 1610 amends the Business & Commerce Code to remove language limiting the application of a notification requirement regarding a breach of security of computerized data that includes sensitive personal information to circumstances in which the individual whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person is a Texas resident or a resident of another state that does not require such notification. The bill removes language establishing that, if an individual whose information was or may have been acquired by a unauthorized person is a resident of a state that requires notification of such a breach, notice provided under that state's law satisfies that notification requirement and instead authorizes notice to be provided to such an individual under that state's law or under Texas law. The bill specifies that written notice of a security breach must be provided to the last known address of the individual.

 

EFFECTIVE DATE

 

On passage, or, if the bill does not receive the necessary vote, September 1, 2013.

 

COMPARISON OF ORIGINAL AND SUBSTITUTE

 

While C.S.S.B. 1610 may differ from the engrossed version in minor or nonsubstantive ways, the following comparison is organized and highlighted in a manner that indicates the substantial differences between the engrossed and committee substitute versions of the bill.

 

SENATE ENGROSSED

HOUSE COMMITTEE SUBSTITUTE

SECTION 1.  Subsection (e), Section 521.053, Business & Commerce Code, is amended to read as follows:

 

(Repealed in SECTION 2, below.)

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

(e)  A person may give notice as required by Subsection (b) or (c) by providing:

(1)  written notice at the last known address of the individual;

(2)  electronic notice, if the notice is provided in accordance with 15 U.S.C. Section 7001; or

(3)  notice as provided by Subsection (f).

 

SECTION 1.  Sections 521.053(b-1) and (e), Business & Commerce Code, are amended to read as follows:

 

(b-1)  If [Notwithstanding Subsection (b), the requirements of Subsection (b) apply only if] the individual whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person is a resident [of this state or another state that does not require a person described by Subsection (b) to notify the individual of a breach of system security.  If the individual is a resident] of a state that requires a person described by Subsection (b) to provide notice of a breach of system security, the notice of the breach of system security required under Subsection (b) may be provided under that state's law or under [satisfies the requirements of] Subsection (b).

(e)  A person may give notice as required by Subsection (b) or (c) by providing:

(1)  written notice at the last known address of the individual;

(2)  electronic notice, if the notice is provided in accordance with 15 U.S.C. Section 7001; or

(3)  notice as provided by Subsection (f).

 

SECTION 2.  Subsection (b-1), Section 521.053, Business & Commerce Code, is repealed.

 

No equivalent provision.

 

SECTION 3.  This Act takes effect immediately if it receives a vote of two-thirds of all the members elected to each house, as provided by Section 39, Article III, Texas Constitution.  If this Act does not receive the vote necessary for immediate effect, this Act takes effect September 1, 2013.

 

SECTION 2. Same as engrossed version.